This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.
It would be important to upgrade to Maven 3.2.3, as older versions are less secure: "The primary motivation for this quick release is to provide HTTPS access to Maven Central by default." Taken from the release notes: http://maven.apache.org/docs/3.2.3/release-notes.html Of course I could switch to a local Maven installation, but then I have trouble with compile on save. See https://netbeans.org/bugzilla/show_bug.cgi?id=247982
Here is some background information on why I think this is P1: Otherwise this is insecure for ALL Maven users of NetBeans. Before 3.2.3, JARs were fetched via HTTP, which is not really good: http://blog.ontoillogical.com/blog/2014/07/28/how-to-take-over-any-java-developer/ Here is Sonatype's response: http://blog.sonatype.com/2014/07/ssl_connectivity_for_central/
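An added example, not part of the original report and not NetBeans or Maven code: a Python check that lists repositories or mirrors declared with plain `http://` in a `pom.xml` or `settings.xml`, and reports whether a given Maven version would fetch Central over HTTP, using the 3.2.3 cut-off from the release notes quoted above. The sample XML, the `example.test` host and the simplified `mirrorOf` matching are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

HTTPS_DEFAULT_SINCE = (3, 2, 3)  # cut-off taken from the 3.2.3 release notes quoted above
URL_PARENTS = {"repository", "pluginRepository", "mirror"}

def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on POM element names."""
    return tag.rsplit("}", 1)[-1]

def _fields(elem):
    """Map child element names to their stripped text."""
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def plaintext_repos(xml_text):
    """Return (kind, id, url) for each repository/mirror declared with http://."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) in URL_PARENTS:
            f = _fields(elem)
            if f.get("url", "").lower().startswith("http://"):
                findings.append((_local(elem.tag), f.get("id", ""), f["url"]))
    return findings

def covers_central(mirror_of):
    """Simplified mirrorOf match (assumption): only '*', 'central', '!central'."""
    parts = [p.strip() for p in mirror_of.split(",")]
    return "!central" not in parts and ("*" in parts or "central" in parts)

def central_over_http(maven_version, settings_xml=None):
    """True if Central would be fetched over plain HTTP for this setup."""
    if settings_xml:
        for elem in ET.fromstring(settings_xml).iter():
            f = _fields(elem)
            if _local(elem.tag) == "mirror" and covers_central(f.get("mirrorOf", "")):
                return not f.get("url", "").lower().startswith("https://")
    version = tuple(int(p) for p in maven_version.split(".")[:3])
    return version < HTTPS_DEFAULT_SINCE

# Constructed sample input; the POM namespace URI itself must not be flagged.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository><id>internal</id><url>http://repo.example.test/maven2</url></repository>
    <repository><id>secure</id><url>https://repo.example.test/maven2</url></repository>
  </repositories>
</project>"""
SAMPLE_SETTINGS = """<settings><mirrors>
  <mirror><id>central-tls</id><mirrorOf>central</mirrorOf>
    <url>https://repo.maven.apache.org/maven2</url></mirror>
</mirrors></settings>"""
```
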
Doing a Maven upgrade typically comes with the extra cost of incompatibility issues, either on code level or with broken feature behavior, and while focusing on other priorities, we have to be careful about pulling in a possible earthquake with side effects potentially popping up months later. Upgrading the bundled Maven is just a question of time, but at the moment it is still open in what time horizon this will happen.
The embedded Maven usage has a fairly low profile when it comes to the networking code in Maven. Basically, if you set a new Maven in tools/options and avoid triggering the "download dependencies" or "download source/javadoc" actions, you are more or less safe, as the embedded code mostly works in offline mode for performance reasons. I suppose the download actions could be rewritten to use external Maven as well and we could get rid of onlineembedder altogether.
*** Bug 249253 has been marked as a duplicate of this bug. ***
*** Bug 245829 has been marked as a duplicate of this bug. ***
*** Bug 252496 has been marked as a duplicate of this bug. ***
Many current Maven plugins require newer versions of Maven than the 3.0.3 bundled with NetBeans 8.0.X. It was rather surprising to see that NetBeans 8.1 Beta only bundled 3.0.5. https://maven.apache.org/docs/history.html Is there a compelling reason to use 4 or 3 year old versions of Maven vs something more current? For the plugins we are using our minimum is 3.2 and this seems pretty typical. It is a hassle to have every developer install Maven and configure NetBeans to use the installed version rather than the bundled version because NetBeans is bundling some ancient release.
I would like to ask if someone at NetBeans could re-evaluate if this is now worth the effort:
* This is a security issue as explained in the first two comments
* Already 5 votes and marked as P1
* Several duplicates indicating a real priority from the community
* Maven 3.3.9 is out and the bundled version is 3 years old
* Still not fixed in 8.1
For 8.2, we're investigating the work to be done to upgrade to the latest Maven, Maven Indexer, and Lucene.
Please also investigate adding support for Maven features such as toolchains.xml (bug 189496), transitive dependency excludes (bug 250449) and project-specific jvm and command line options (bug 254716). While I fully agree this is an important issue, it is something that can easily be worked around, whereas NetBeans-specific support for Maven features isn't.
Change title back to "Update to Maven 3.2.3" after SPAM-attack
*** Bug 255325 has been marked as a duplicate of this bug. ***
fixed in jet-main #0062c8194dcc
the embedded maven is now 3.3.9
Just downloaded 8.2 for Mac, and it still shows 3.0.5 as the bundled Maven. How can I get a more recent one? Thanks
Still seeing 3.0.5 bundled with 8.2.
(In reply to javydreamercsw from comment #17)
> Still seeing 3.0.5 bundled with 8.2.

This was fixed in trunk, not in 8.2.
Just as a remark: If there is a new Maven version compatible with Java 9, we should prepare to make another update for NetBeans 9.
Does anyone have a solution for this? I just downloaded 8.2. It says there is a fix in trunk. It is really a problem. I am unable to use NetBeans for deploying to Google App Engine.
I am unable to compile Jenkins. Detected Maven Version: 3.0.5 is not in the allowed range 3.1.0.